Attention anyone using Microsoft Outlook to encrypt emails. Researchers at security outfit SEC Consult have found a bug in Redmond's software that causes encrypted messages to be sent out with their unencrypted versions attached.
You read that right: if you can intercept a network connection transferring an encrypted email, you can just read off the unencrypted copy stapled to it, if the programming blunder is triggered.
The bug is triggered when Outlook users encrypt a message with S/MIME and format the email as plain text. When sent, the software reports the memo was delivered in an encrypted form, and it appears that way in the Sent folder – but attached to the ciphered text is an easily human-readable cleartext version of the same email. This somewhat derails the use of encryption.
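As an added example (not from the article, SEC Consult or Microsoft), here is a small Python check a mail administrator could run over outbound or archived messages to flag the leak pattern described above. It assumes the leaky message is a multipart carrying an application/pkcs7-mime (smime.p7m) part next to a readable text part, and it stands in dummy bytes for real CMS ciphertext.

```python
import email
from email import policy
from email.message import EmailMessage

# Content types used for S/MIME enveloped data.
SMIME_TYPES = {"application/pkcs7-mime", "application/x-pkcs7-mime"}


def is_smime_part(part):
    """True if this MIME leaf is an S/MIME envelope (by type or .p7m filename)."""
    ctype = part.get_content_type()
    fname = (part.get_filename() or "").lower()
    return ctype in SMIME_TYPES or fname.endswith(".p7m")


def cleartext_beside_smime(raw_bytes):
    """Parse one RFC 5322 message and return every readable text part that sits
    next to an S/MIME envelope. An empty list means the message is either
    unencrypted or encrypted without a stray copy; a non-empty list is the
    'ciphertext plus cleartext' shape this page describes."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    has_smime, cleartext = False, []
    for part in msg.walk():
        if part.is_multipart():
            continue  # containers carry no body of their own
        if is_smime_part(part):
            has_smime = True
        elif part.get_content_maintype() == "text":
            cleartext.append(part.get_content().strip())
    return cleartext if has_smime else []


def build_sample(with_leak):
    """Constructed test input (assumed layout, not a capture from Outlook):
    an S/MIME envelope, optionally joined by a plain-text copy of the body."""
    body = "Quarterly numbers attached, do not forward."
    cms = b"\x30\x82DUMMY-CMS"  # placeholder for real enveloped-data bytes
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "alice@example.test", "bob@example.test", "confidential"
    if with_leak:
        msg.set_content(body)  # the cleartext copy the bug staples on
        msg.add_attachment(cms, maintype="application", subtype="pkcs7-mime",
                           filename="smime.p7m", params={"smime-type": "enveloped-data"})
    else:
        msg.set_content(cms, maintype="application", subtype="pkcs7-mime",
                        filename="smime.p7m", params={"smime-type": "enveloped-data"})
    return msg.as_bytes()


if __name__ == "__main__":
    print("leak parts:", cleartext_beside_smime(build_sample(True)))
    print("clean parts:", cleartext_beside_smime(build_sample(False)))
```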
"This has been a rather unusual vulnerability discovery," the SEC team said in an advisory on Tuesday.
"Unlike other cases, we kind of stumbled upon the first indications of this vulnerability by pure coincidence (we did not search for Outlook vulnerabilities). We knew something was seriously wrong when we noticed that the contents of S/MIME encrypted mails were shown in Outlook Web Access."
There are other side effects, depending on how you have Outlook configured. If you're using Outlook with Exchange then the unwanted plain text email is only sent one hop to the intended recipient and can't be forwarded on.
But if you're running Outlook under SMTP then the unwanted email leaks to not only the recipient but also to all mail servers along the path. Potentially that's a security nightmare.
Microsoft claimed the exploitation of this bug was "unlikely" in the wild. Some infosec professionals argued it was a little too easy to exploit:
Outlook S/MIME bug is absolutely reproducible, I just did it. Does not need an attacker. Microsoft have classified it wrong. @msftsecurity – Kevin Beaumont 🙃 (@GossiTheDog), October 10, 2017
SEC Consult said it noticed the issue in May, reported it to Microsoft, and hadn't heard back from the Windows giant as to how long this has been a problem. Redmond fixed the issue in October's Patch Tuesday bundle, so apply the security update as soon as possible. And also consider that any plain-text-formatted S/MIME messages sent from Outlook may have been read over the wire by miscreants. ®